CVE-2021-41300 - OpenCVE

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ecoa	Ecs Router Controller-ecs Firmware Riskbuster Firmware Riskterminator Riskbuster Ecs Router Controller-ecs

Configuration 1 [-]

AND

cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2021-09-30T00:00:00

Updated: 2021-09-30T10:41:05

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41300

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-30T11:15:07.923

Modified: 2021-10-07T14:34:36.233

Link: CVE-2021-41300

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "ECS Router Controller ECS (FLASH)", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskBuster Terminator E6L45", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskBuster System RB 3.0.0", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskBuster System TRANE 1.0", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "Graphic Control Software", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "SmartHome II E9246", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskTerminator", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}], "datePublic": "2021-09-30T00:00:00", "descriptions": [{"lang": "en", "value": "ECOA BAS controller\u2019s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-30T10:41:05", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html"}], "solutions": [{"lang": "en", "value": "Contact tech support from ECOA."}], "source": {"advisory": "TVN-202109016", "discovery": "EXTERNAL"}, "title": "ECOA BAS controller - Insufficiently Protected Credentials-2", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-09-30T10:13:00.000Z", "ID": "CVE-2021-41300", "STATE": "PUBLIC", "TITLE": "ECOA BAS controller - Insufficiently Protected Credentials-2"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ECS Router Controller ECS (FLASH)", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskBuster Terminator E6L45", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskBuster System RB 3.0.0", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskBuster System TRANE 1.0", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "Graphic Control Software", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "SmartHome II E9246", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskTerminator", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}]}, "vendor_name": "ECOA"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ECOA BAS controller\u2019s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html"}]}, "solution": [{"lang": "en", "value": "Contact tech support from ECOA."}], "source": {"advisory": "TVN-202109016", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-41300", "datePublished": "2021-09-30T00:00:00", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2021-09-30T10:41:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E80292D1-E3AD-42B6-A63E-3546010B97A3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*", "matchCriteriaId": "541B6C82-F00E-4BFC-9947-A55B2F4EDD06", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "19A28430-AB2B-423F-82D4-FC0E3A6DF335", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*", "matchCriteriaId": "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*", "matchCriteriaId": "841DF575-8E63-4AB4-A6F9-77C28FC65BCE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ECOA BAS controller\u2019s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality."}, {"lang": "es", "value": "La p\u00e1gina especial del controlador ECOA BAS muestra la cuenta de usuario y las contrase\u00f1as en texto plano, por lo que unos atacantes no autenticados pueden acceder a la p\u00e1gina y alcanzar privilegios con plena funcionalidad"}], "id": "CVE-2021-41300", "lastModified": "2021-10-07T14:34:36.233", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2021-09-30T11:15:07.923", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}